Banking Trojan Coyote Steals Data by Simulating Interface Operations

📟 News

Date: 25/07/2025

The new variant of the banking Trojan Coyote exploits accessibility features in Windows, specifically the Microsoft UI Automation framework. In this way, the malware detects banking and cryptocurrency exchange websites visited by the user and steals their credentials.

Microsoft UIA is a framework designed to allow assistive technologies to interact with elements of Windows application interfaces: read their properties, control them, and monitor changes. Applications present their structure as a UI Automation tree, and the UIA API allows browsing this tree, obtaining data about interface elements, and interacting with them by emulating user actions. All of this is intended to enable people with disabilities to fully utilize all the capabilities of their devices.

As early as December 2024, specialists from Akamai warned that UIA could be used for credential theft, emphasizing that this technique would allow bypassing EDR protection in any version of Windows starting from XP.

Now Akamai reports that its prediction has come true: since February 2025, its researchers have observed real attacks using this technique, and this is the first known case of malware exploiting Microsoft UIA capabilities for data theft.

The banking Trojan Coyote has been active since February 2024. The malware aims to steal credentials for 75 banking and cryptocurrency applications, primarily targeting users in Brazil. When it was first discovered, it relied on keylogging and phishing overlays, but Coyote has undergone significant changes since then.

According to the researchers, the new version of Coyote continues to steal data using its traditional methods, but it also includes new code that exploits UIA, invoked when a user opens a banking or cryptocurrency service in a browser.

If Coyote cannot identify the target from the window title, it uses UIA to extract the web address from the browser's UI elements (tabs or address bar). It then compares the result with a hardcoded list of 75 targeted services.

Among the banks and exchanges that Coyote targets using this method are: Banco do Brasil, CaixaBank, Banco Bradesco, Santander, Original bank, Sicredi, Banco do Nordeste, Expanse, as well as Binance, Electrum, Bitcoin, Foxbit, and others.

Although in this case the misuse of UIA is limited to the reconnaissance phase, Akamai specialists have demonstrated that UIA can also be used for the actual theft of credentials from targeted sites.
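Because the detection technique above hinges on the malware acting as a UI Automation client, one defensive angle is to hunt for processes that load the UIA client library without being an expected consumer of it. The script below is an added example, not code from the article or from Akamai; it assumes Sysmon-style image-load events (Event ID 7) exported as JSON lines with the Sysmon field names `Image`, `ImageLoaded` and `ProcessId`, and the records, the allowlist of expected UIA clients and the user-writable-path heuristic are all constructed for illustration.

```python
"""Hunt for unexpected UI Automation clients in image-load telemetry.

Added example (not from the article or Akamai). Assumes Sysmon-style
Event ID 7 records as JSON lines; sample records below are constructed.
"""
import json

# UIAutomationCore.dll is the client library every UI Automation consumer
# loads; a process that is neither a browser nor an assistive tool loading
# it deserves a closer look.
UIA_MODULE = "uiautomationcore.dll"

# Constructed allowlist of processes expected to use UIA; tune per fleet.
EXPECTED_UIA_CLIENTS = {
    "narrator.exe", "magnify.exe", "osk.exe",      # Windows assistive tools
    "chrome.exe", "msedge.exe", "firefox.exe",      # browsers expose UIA trees
    "explorer.exe",
}

# Constructed path fragments typical of malware drop locations (heuristic only).
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")

# Constructed Sysmon-like records: one JSON object per line.
SAMPLE_EVENTS = r"""
{"EventID": 7, "ProcessId": 412, "Image": "C:\\Windows\\System32\\narrator.exe", "ImageLoaded": "C:\\Windows\\System32\\UIAutomationCore.dll"}
{"EventID": 7, "ProcessId": 5120, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "ImageLoaded": "C:\\Windows\\System32\\UIAutomationCore.dll"}
{"EventID": 7, "ProcessId": 7788, "Image": "C:\\Users\\user\\AppData\\Roaming\\update.exe", "ImageLoaded": "C:\\Windows\\System32\\UIAutomationCore.dll"}
{"EventID": 7, "ProcessId": 7788, "Image": "C:\\Users\\user\\AppData\\Roaming\\update.exe", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll"}
{"EventID": 1, "ProcessId": 9001, "Image": "C:\\Windows\\System32\\cmd.exe"}
not json at all
"""


def basename(path):
    """Last path component, lowercased; accepts Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_events(text):
    """Parse a JSON-lines export, skipping blank or malformed lines rather than aborting."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def is_user_writable_path(image):
    """Heuristic: does the executable live in a location an ordinary user can write to?"""
    return any(marker in image.lower() for marker in USER_WRITABLE_MARKERS)


def find_unexpected_uia_clients(events, allowlist=EXPECTED_UIA_CLIENTS):
    """Return (pid, image) pairs, in first-seen order, for processes outside the
    allowlist that loaded UIAutomationCore.dll."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 7:
            continue
        if basename(ev.get("ImageLoaded", "")) != UIA_MODULE:
            continue
        image = ev.get("Image", "")
        if basename(image) in allowlist:
            continue
        key = (ev.get("ProcessId"), image)
        if key not in hits:
            hits.append(key)
    return hits


def triage(events):
    """Attach a simple severity to each hit: 'high' when the binary also sits in a user-writable path."""
    return [
        {"pid": pid, "image": image,
         "severity": "high" if is_user_writable_path(image) else "medium"}
        for pid, image in find_unexpected_uia_clients(events)
    ]


if __name__ == "__main__":
    for finding in triage(parse_events(SAMPLE_EVENTS)):
        print(f"[{finding['severity']}] pid={finding['pid']} {finding['image']}")
```

The allowlist approach deliberately errs toward noise: browsers and assistive tools legitimately load the library, so the point of the hunt is to surface the residual set of processes and let the path heuristic (or a signer check, if the telemetry carries one) rank them.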

“Parsing nested elements of another application without UIA is a non-trivial task,” researchers say. “To effectively read the contents of nested elements of another application, a developer must have a good understanding of how the specific target application is structured. Coyote can perform checks regardless of whether the malware is online or offline. This increases the chances of successfully identifying a bank or cryptocurrency exchange to steal credentials.”

Experts remind us that on Android, abuse of Accessibility Services is a very acute problem and has long been widespread.
